
Computer Auditing Control Matters
(Relevant to ATE Paper 8 Auditing)

David Chow, FCCA, FCPA, CPA (Practising)

The introduction of a computerized or electronic data processing (EDP) accounting system has not brought any changes to auditors' audit objectives, i.e. to enable the auditor to express an opinion whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. However, the methods of applying audit procedures in gathering audit evidence may be influenced by the way accounting data is processed.

Characteristics of Computerized Accounting Systems

Computerized accounting systems have the following characteristics:

(i) Audit trail
A transaction trail that can be used for audit purposes might only exist for a short period of time or only be in computer-readable form. This is because computerized accounting systems eliminate some steps and some documents that would otherwise be present in manual systems.

(ii) Nature of processing errors
Clerical errors are ordinarily associated with manual processing. In an EDP environment, processing errors are mainly caused by programming errors or systematic errors in the hardware or software. Furthermore, in computerized systems, data must be converted into machine-readable form; this introduces the possibility of input errors, which are supposed to be detected by input controls.

(iii) Central processing of transactions
When transactions are centrally processed in an EDP department, sometimes many incompatible functions are combined. To keep incompatible duties separate, segregation of duties is often established.

(iv) Alteration of data or files
Permanent data (such as a worker's hourly rate) stored in a master file can often be altered without being detected; this kind of fraud may not be detected for a long time.

EDP Controls

The control environment in complex EDP systems is even more critical than that in more simple systems because there is greater potential for misstatement. The types of controls in an EDP system are general controls and application controls. The difference between general and application controls is illustrated in the diagram below, in which three computer applications are shown. General controls affect all three applications, but separate application controls are developed for purchases, cash payments and inventory. Although some application controls affect one or only a few transaction-related audit objectives, most of the procedures prevent or detect several types of misstatements in all phases of the application.

Note: An application is a programme or group of programmes designed to process a particular group of transactions such as payment of creditors.

[Figure: Relationship of General Controls and Application Controls to Audit Applications. General controls cover the three applications (purchases, cash payments and inventory), each of which has its own application controls.]

General Controls

General controls relate to the environment within which systems are developed, maintained and operated. Such controls relate to all parts of the EDP system and they apply to any one application. Auditors usually evaluate the effectiveness of general controls before evaluating application controls. If general controls are ineffective, there may be potential for material misstatement in each computer-based accounting application. The general controls must therefore be evaluated early in the audit.

General controls are to ensure the integrity of application development and implementation and to ensure that computer operations are properly administered to protect hardware, programmes and data files. There are five main types of general controls:

(i) Organization of EDP department
There should be segregation of duties within the EDP Department, so as to prevent EDP personnel from authorizing and recording transactions to hide theft of assets, and to minimize the possibility of recording and processing errors. In principle, no one individual should be able to (a) access the data; (b) alter the computer system or programme; and (c) access the computer.

Suppose that segregation of duties is inadequate, such that computer operators are also programmers and have access to computer programmes and data files. The auditors would then be concerned about the potential for fictitious transactions or unauthorised data and omissions in the accounts. If the auditors find that there are inadequate safeguards over data files, they may conclude that there is a significant risk of loss of data because the general controls affect each application.

The following functions should be separated within the EDP Department:

Applications and programming (design and maintenance of computer hardware and software). It is important that the programmer does not have access to input data on computer operations, since his understanding of the programme can easily be used for personal benefit.

The librarian provides a means of important physical control over the computer programmes, transaction files, and other important computer records and releases them only to authorized personnel.

Operations (running the computer, executing jobs). Ideally, the operator should be prevented from having sufficient knowledge of the programme to modify it immediately before or during its use.

Data Control (data input and output). The function of the data control group is to test the effectiveness and efficiency of all aspects of the system. This includes the application of various controls, the quality of the input, and the reasonableness of the output.

(ii) Application Development and Maintenance Controls
The purpose of this general control area is to ensure that the client adequately controls computer programmes and related documentation. The primary controls are included in the design and use of systems manuals. Documentation is often the best source of information about control features within computer programmes, and thus the auditor's review of computer controls may depend, in part, on adequate documentation. Common types of computer documentation include programme flowcharts and narratives, record and file layouts and operator instructions.

(iii) Hardware Controls
Hardware controls are built into the equipment by the manufacturer to detect equipment failure. Auditors are less concerned with the adequacy of the hardware controls in the system than with the organization's methods of handling the errors that the computer identifies.

(iv) Access to Computer Equipment, Data Files and Programmes
These general controls are important for safeguarding EDP equipment and records. This is accomplished through locked doors, segregation of duties, locked cabinets containing data files, passwords or security codes and reports of jobs run on the computer.

(v) Data or Procedural Controls
Copies of all important files and programmes should be kept off site. This may prevent losses due to accidental erasure, intentional vandalism, or catastrophic loss (e.g. because of fire). One commonly used data storage method is the grandfather-father-son method.

Application Controls

Application controls are controls specific to a particular accounting application. Separate application controls are developed for different applications. Application controls must be evaluated specifically for every audit area in which the client uses the computer where the auditor plans to reduce assessed control risk. Application controls are to ensure the completeness and accuracy of all processing and the validity of the accounting entries made. There are four main types of application controls:

(i) Input controls
Controls over input are designed to assure that the information processed by the computer is valid, complete, and accurate. These controls are critical because a large number of errors in computer systems result from input errors. Common input controls include check digits, batch totals, hash totals, limits or reasonableness tests, validity checks etc.

(ii) Processing controls
Controls over processing are designed to assure that data input into the system is accurately processed. This means that all data entered in the computer are processed, processed only once, and processed accurately. Most processing controls are also programmed controls, which means that the computer is programmed to do the checking. Common examples include control totals, logic tests, and completeness tests.

(iii) Output controls
Controls over output are designed to assure that data generated by the computer are valid, accurate, and complete. Moreover, outputs should be distributed in the appropriate quantities only to authorized people. The most important output control is review of the data for reasonableness by someone who knows what the output should look like.

(iv) Controls over Master File information
Many transactions depend on the accuracy of information in the Master File. For example, all sales transactions depend on the price list, and all payroll amounts depend on the hourly rate or salary rate. User departments should get periodic reports containing the contents of the Master File. There should be procedures in place to verify that the correct version of the Master File is being used.
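
The input controls named under (i), together with the "processed only once" requirement under (ii), can be seen working on a small batch of payment vouchers. This is an added example, not part of the original article; the Luhn check-digit scheme, the payment limit, the vendor numbers and all function names are assumptions constructed for illustration.

```python
from decimal import Decimal

# Everything below is constructed for illustration (assumed names and values).
VENDOR_MASTER = {"100230", "204172", "303552"}  # master file extract: validity check
PAYMENT_LIMIT = Decimal("50000.00")             # limit / reasonableness test

def luhn_ok(number):
    """Check digit test; the Luhn scheme is an assumption, the article names none."""
    if not number.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:                        # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def control_totals(records):
    """Record count, batch total of amounts, hash total of account numbers."""
    return {
        "record_count": len(records),
        "batch_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records if r["account"].isdigit()),
    }

def validate_batch(header, records):
    """Return (rejected records with first failing control, mismatched totals)."""
    rejected, seen = [], set()
    for r in records:
        reason = None
        if r["doc_no"] in seen:                 # processed only once
            reason = "duplicate document"
        elif not luhn_ok(r["account"]):
            reason = "check digit"
        elif r["account"] not in VENDOR_MASTER:
            reason = "validity"
        elif not Decimal("0") < Decimal(r["amount"]) <= PAYMENT_LIMIT:
            reason = "limit"
        seen.add(r["doc_no"])
        if reason:
            rejected.append((r["doc_no"], reason))
    keyed = control_totals(records)
    return rejected, [k for k in keyed if keyed[k] != header[k]]

def voucher(doc_no, account, amount):
    return {"doc_no": doc_no, "account": account, "amount": amount}

# Source documents as batched by the user department, with their control totals.
SOURCE = [voucher("PV-001", "100230", "1250.00"), voucher("PV-002", "204172", "830.50"),
          voucher("PV-003", "303552", "99.00"), voucher("PV-004", "303552", "1250.00")]
HEADER = control_totals(SOURCE)

# The same batch as keyed: transposed digits, wrong vendor, decimal slip, re-keyed voucher.
KEYED = [SOURCE[0], voucher("PV-002", "201472", "830.50"),
         voucher("PV-003", "400010", "99.00"), voucher("PV-004", "303552", "125000.00"),
         SOURCE[0]]

if __name__ == "__main__":
    rejected, mismatches = validate_batch(HEADER, KEYED)
    for doc_no, reason in rejected:
        print(f"{doc_no}: rejected by {reason} test")
    print("control totals that disagree with the batch header:", mismatches)
```

The hash total is a sum with no accounting meaning; it changes when an account number is keyed wrongly even if the amounts still agree with the batch total.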

How do Auditors Test Controls in an EDP Environment?

Auditors obtain information on general and application controls by:
(i) interviewing EDP staff;
(ii) reviewing flowcharts and documentation that describe the system and programmes; and
(iii) reviewing internal control questionnaires they have given the client to complete.

When the audit trail is incomplete and the computer processing operations are complicated, it is inappropriate to audit around the computer. This technique should only be used when the audit trail is complete, computer-processing operations are straightforward and systems documentation is complete and readily available. Under the technique of auditing around the computer, auditors bypass the computer and treat it as a giant book-keeping machine. This is acceptable in some situations but becomes unacceptable if the relationship between the output and the input cannot be properly understood without examining the intervening computer processing, e.g. when there is no visible audit trail.

In more complex EDP environments, clients retain data in electronic format only. The loss of audit trail means auditors must test application controls directly by auditing through the computer. Auditors test application controls using three types of tests: (i) audit test data, (ii) parallel simulation and (iii) integrated test facility.
